Traveling Companions: Continuous Delivery and Security

Often found at the intersection of DevOps and security, creator of gauntlt and author of DevOps Fundamentals — a course on Lynda.com and LinkedIn Learning.

Security and Continuous Delivery are unlikely friends, because security has historically relied on large-batch testing, frozen development windows, and annual compliance testing. These older approaches don’t work in the world of Continuous Delivery. Continuous Delivery is a complete departure from traditional delivery cycles of months and quarters to cycle times of minutes and seconds. One of the oft-quoted mantras of Continuous Delivery is that you should focus not just on speed but on how little can be delivered at a time — security has to move away from infrequent batch-testing approaches to more agile ones.

The Delivery Pipeline and Security’s Role

In the delivery pipeline, I like to think of these five stages.

1. Design
2. Inherit
3. Build
4. Deploy
5. Operate

Design is your intent for the application and its overall purpose. Inherit covers the operating system, system dependencies, and libraries your application receives just by existing. Build is the step where everything comes together and is tested (unit, integration, smoke, …) by your CI system. Deploy is everything needed to get consumers of your application able to use it as intended. Lastly, Operate is the use of the application in the real world — where the rubber meets the road.

Introspective Questions for Security to Add Value

I was able to give a presentation on this topic last week at GOTO Amsterdam, and we drilled into 3 phases in particular as places where security can add value.

Operate — Am I being attacked right now and if yes, are the attackers having success?

These three questions can guide where to spend time and effort on security in organizations doing continuous delivery. If you are interested in this, you can see the full presentation, comment on Twitter @wickett, or leave a comment over at Medium.
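As an added example that is not part of the original post, the Python below turns the Operate question into a concrete check over a few constructed web-server access-log lines: it counts suspicious requests per source address (am I being attacked?) and separates those the application answered with a 2xx from those it rejected (are the attackers having success?). The log format, the three signatures and the sample lines are assumptions made for this illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style), not taken from the
# original post; they stand in for what the Operate stage feeds a detector.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2015:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [12/Jun/2015:10:01:03 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [12/Jun/2015:10:01:04 +0000] "GET /search?q=1%27%20UNION%20SELECT HTTP/1.1" 403 0
10.0.0.9 - - [12/Jun/2015:10:01:05 +0000] "GET /search?q=1%27%20UNION%20SELECT%201 HTTP/1.1" 200 2048
10.0.0.7 - - [12/Jun/2015:10:01:06 +0000] "POST /login HTTP/1.1" 302 0
"""

# Fields we need from each line: client IP, HTTP method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Hypothetical, deliberately small signature set; a real deployment would use
# a maintained ruleset (WAF, IDS) rather than three substrings.
SIGNATURES = ("../", "union select", "<script")


def is_suspicious(path):
    """True if the URL-decoded, lower-cased path contains a known signature."""
    decoded = unquote(path).lower()
    return any(sig in decoded for sig in SIGNATURES)


def triage(log_text):
    """Answer the Operate question: attempts per source IP (are we being
    attacked?) and suspicious requests served a 2xx (are they succeeding?)."""
    attempts = Counter()
    successes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_suspicious(m["path"]):
            continue
        attempts[m["ip"]] += 1
        if m["status"].startswith("2"):
            successes.append((m["ip"], m["method"], m["path"]))
    return attempts, successes


if __name__ == "__main__":
    attempts, successes = triage(SAMPLE_LOG)
    print("suspicious requests by source:", dict(attempts))
    print("suspicious requests that got a 2xx:", successes)
```

On the sample above, 10.0.0.9 produces three suspicious requests and one of them is served a 200, which is the signal worth paging on rather than the raw attempt count.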